Introduction
To connect to a Kubernetes cluster via Boundary, the following steps have to be performed by hand:
- authenticate to Boundary
- authorize a session to the Kubernetes target
- obtain the session authorization token
- start the local proxy (boundary connect) and note its listen address and port
- open a new terminal session on the same VM
- export the proxy port and the brokered service account token
- run the kubectl commands against the proxy to obtain the required details from the Kubernetes cluster
Done manually every time, this is a time-consuming task.
Solution:
In the interest of time, a shell script can perform all of the above steps, and the same VM session can then be used to connect to the Kubernetes cluster through Boundary.
Note: the BOUNDARY_ADDR and BOUNDARY_TOKEN environment variables must be set before the script is run. The script has to be sourced (not executed), otherwise the alias and variables it sets are lost when the subshell exits.
This script has been tested with Boundary Enterprise 0.13.2+ent.
Configure the following variables in the script:
K8S_CA_CERT_PATH - path to the Kubernetes cluster CA certificate that kubectl uses to verify the API server
BOUNDARY_SCOPE_ID - ID of the Boundary project in which the Kubernetes target is created
K8S_TLS_SERVER_NAME - hostname kubectl should expect in the API server's TLS certificate (for example "kubernetes"); needed because the connection goes to 127.0.0.1, which is not in the certificate's SANs, and without it kubectl would fail certificate verification
TARGET_NAME - name of the Boundary target you want to connect to
#!/bin/bash
# Dummy values are shown for the variables; replace them with your own.
# Source this file (do not execute it) so the alias and variables land in your current shell.
export BOUNDARY_LISTEN_ADDRESS=127.0.0.1
export BOUNDARY_LISTEN_PORT=65000
export K8S_SERVER=https://$BOUNDARY_LISTEN_ADDRESS:$BOUNDARY_LISTEN_PORT
export K8S_CA_CERT_PATH=/home/vagrant/ca.crt
export K8S_TLS_SERVER_NAME=kubernetes
export BOUNDARY_SCOPE_ID=p_aE5cK8FLcs
export TARGET_NAME=my-kubernetes-cluster-target
# Authorize a session to the target and pull out the session authorization token and the
# brokered Kubernetes service account token. The substitution is quoted so that each
# "export" statement produced by jq is evaluated on its own line.
eval "$(boundary targets authorize-session -token="env://BOUNDARY_TOKEN" -name "$TARGET_NAME" -format json | jq -r '"export AUTHZ_TOKEN="+.item.authorization_token, (.item.credentials[].secret.decoded.service_account_token | select(. != null) | "export K8S_TOKEN="+.)')"
# Stop here if either token is missing; otherwise the alias below would be built with an empty --token.
if [ -z "$AUTHZ_TOKEN" ] || [ -z "$K8S_TOKEN" ]; then
  echo "authorize-session did not return both an authorization token and a service account token; check BOUNDARY_ADDR, BOUNDARY_TOKEN and the target's brokered credentials" >&2
  return 1 2>/dev/null || exit 1
fi
echo "Setting alias \"kb\" to run kubectl commands against the local Boundary session"
# Note: the token is part of the kubectl command line, so it is visible in ps output to other users on the VM.
alias kb="kubectl --server $K8S_SERVER --token $K8S_TOKEN --certificate-authority $K8S_CA_CERT_PATH --tls-server-name $K8S_TLS_SERVER_NAME"
# Start the local proxy in the background; it runs until the session ends or the job is killed.
boundary connect -authz-token "$AUTHZ_TOKEN" -listen-addr "$BOUNDARY_LISTEN_ADDRESS" -listen-port "$BOUNDARY_LISTEN_PORT" &
echo "You may now use \"kb\" to run kubectl commands"
Once the script has been sourced, a Boundary proxy is listening on 127.0.0.1:65000 in the background. Press Enter to get the prompt back and keep working in the same terminal session.
The commands below give you access to the Kubernetes cluster:
source ./connect_k8s.sh
# The command above creates a new Boundary session proxied on 127.0.0.1:65000
# Use the alias kb to run kubectl commands through it
kb get pods
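The following is an added example of a variant of the connect script, written here for this page and not the page's own script. It addresses two rough edges of the alias approach: the service account token sits on every kubectl command line, where other users on the VM can read it from ps, and kubectl can be run before the background proxy is actually listening. Instead of an alias it writes a mode-0600 kubeconfig (using the kubeconfig cluster field tls-server-name) and points KUBECONFIG at it, and it polls the listener before declaring the session ready. It relies on the same boundary and jq commands as above. The function names, the default KUBECONFIG_PATH and the sample JSON document in the comments are assumptions of mine; the shape of the JSON follows the jq path used by the original script.

```shell
#!/usr/bin/env bash
# Added example (not the original connect_k8s.sh): kubeconfig-based variant.
# Assumes BOUNDARY_ADDR, BOUNDARY_TOKEN and the same variables as the script above
# (TARGET_NAME, K8S_CA_CERT_PATH, K8S_TLS_SERVER_NAME, BOUNDARY_SCOPE_ID) are set, that jq
# is installed, and that the target brokers a Kubernetes service account token.
# KUBECONFIG_PATH and the function names are my own choices. Source this file, then run connect_k8s.
: "${BOUNDARY_LISTEN_ADDRESS:=127.0.0.1}"
: "${BOUNDARY_LISTEN_PORT:=65000}"
: "${KUBECONFIG_PATH:=$HOME/.kube/boundary-config}"

# Read the JSON printed by `boundary targets authorize-session -format json` on stdin and print
# two lines: the session authorization token, then the brokered service account token
# (an empty line if the target brokered none). Example input (constructed sample):
# {"item":{"authorization_token":"AUTHZ_SAMPLE","credentials":[{"secret":{"decoded":{"service_account_token":"SA_SAMPLE"}}}]}}
extract_tokens() {
    jq -r '(.item.authorization_token // ""),
           ([.item.credentials[]?.secret.decoded.service_account_token | select(. != null)] | first // "")'
}

# Poll until something accepts TCP connections on host:port (bash's /dev/tcp), so kubectl is
# not run before the background proxy is listening. Returns 1 after $3 attempts (default 25).
wait_for_listener() {
    local host=$1 port=$2 tries=${3:-25} i=0
    while [ "$i" -lt "$tries" ]; do
        if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
            return 0
        fi
        i=$((i + 1))
        sleep 0.2
    done
    return 1
}

# Write a minimal kubeconfig with mode 0600. Keeping the token in a private file instead of on
# every kubectl command line means it does not show up in ps output for other users on the VM.
# tls-server-name makes kubectl verify the API server certificate against the CA even though
# the connection goes to 127.0.0.1, which is not in that certificate's SANs.
write_kubeconfig() {
    local path=$1 server=$2 ca=$3 tls_name=$4 token=$5
    mkdir -p "$(dirname "$path")"
    (umask 077; cat > "$path" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: boundary
  cluster:
    server: $server
    certificate-authority: $ca
    tls-server-name: $tls_name
users:
- name: boundary
  user:
    token: $token
contexts:
- name: boundary
  context:
    cluster: boundary
    user: boundary
current-context: boundary
EOF
    )
}

# Authorize the session, start the proxy, wait for it to listen, and point KUBECONFIG at the new file.
connect_k8s() {
    local json authz sa_token
    json=$(boundary targets authorize-session -token="env://BOUNDARY_TOKEN" -name "$TARGET_NAME" -format json) || return 1
    { read -r authz; read -r sa_token; } <<EOF
$(printf '%s\n' "$json" | extract_tokens)
EOF
    if [ -z "$authz" ] || [ -z "$sa_token" ]; then
        echo "authorize-session returned no authorization token or no service account token" >&2
        return 1
    fi
    boundary connect -authz-token "$authz" -listen-addr "$BOUNDARY_LISTEN_ADDRESS" -listen-port "$BOUNDARY_LISTEN_PORT" >/dev/null 2>&1 &
    BOUNDARY_CONNECT_PID=$!
    if ! wait_for_listener "$BOUNDARY_LISTEN_ADDRESS" "$BOUNDARY_LISTEN_PORT"; then
        echo "proxy did not come up on $BOUNDARY_LISTEN_ADDRESS:$BOUNDARY_LISTEN_PORT" >&2
        kill "$BOUNDARY_CONNECT_PID" 2>/dev/null
        return 1
    fi
    write_kubeconfig "$KUBECONFIG_PATH" "https://$BOUNDARY_LISTEN_ADDRESS:$BOUNDARY_LISTEN_PORT" \
        "$K8S_CA_CERT_PATH" "$K8S_TLS_SERVER_NAME" "$sa_token"
    export KUBECONFIG=$KUBECONFIG_PATH
    echo "Session proxy running as PID $BOUNDARY_CONNECT_PID; run kubectl as usual."
    echo "Finish with: kill $BOUNDARY_CONNECT_PID; rm -f $KUBECONFIG_PATH"
}
```

Usage: `source ./connect_k8s_kubeconfig.sh && connect_k8s`, then plain `kubectl get pods`. Removing the kubeconfig file when the session ends matters as much as killing the proxy: the brokered service account token stays valid for as long as Vault or Kubernetes issued it, regardless of the Boundary session.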